Hello,
We have a message to *@transfennica.com. Postfix looks up the MX (mail.spliethoff.nl) and tries to validate via DANE. That fails:

Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/mail.spliethoff.nl: TLSA lookup error for mail.spliethoff.nl:25
Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/smtp.spliethoff.nl: TLSA lookup error for smtp.spliethoff.nl:25
Jun 9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=postmaster@transfennica.com, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for smtp.spliethoff.nl:25)

OK, I went to dane.sys4.de (thanks for the service) but simply got "transfennica.com don't use DNSSEC".

It would be helpful if the validator would do the MX lookup and check the MX hosts like Postfix does.
Thanks, Andreas
On Thu, Jun 09, 2016 at 01:10:54PM +0200, Andreas Schulze wrote:
> We have a message to *@transfennica.com. Postfix looks up the MX (mail.spliethoff.nl) and tries to validate via DANE. That fails:
>
> Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/mail.spliethoff.nl: TLSA lookup error for mail.spliethoff.nl:25
> Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/smtp.spliethoff.nl: TLSA lookup error for smtp.spliethoff.nl:25
> Jun 9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=postmaster@transfennica.com, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for smtp.spliethoff.nl:25)
>
> OK, I went to dane.sys4.de (thanks for the service) but simply got "transfennica.com don't use DNSSEC".
>
> It would be helpful if the validator would do the MX lookup and check the MX hosts like Postfix does.
Right, Postfix 3.1 by default also enables "half-dane" for signed MX hosts of unsigned domains. The validator does not support this.
The simplest solution is to test the domain of the MX host.
$ dig +noall +ans +nocl +nottl -t mx spliethoff.nl | sort -k3n
spliethoff.nl. CNAME spliethoff.com.
spliethoff.com. MX 10 mail.spliethoff.nl.
spliethoff.com. MX 20 fw.spliethoff.nl.
spliethoff.com. MX 80 smtp.spliethoff.nl.

This is a secure delegation to a zone which contains a CNAME at the zone apex, along with DNSKEY and SOA records; this is not legal AFAIK. It is surely a good way to trigger DNSSEC interoperability problems. Also, the RRSIG lifetime is ~10000 days; that's a lot of optimism about the security of the keys...
Amazingly, unbound seems to cope:
$ dig +noall +ans +nocl +nottl -t mx spliethoff.com | sort -k3n
spliethoff.com. MX 10 mail.spliethoff.nl.
spliethoff.com. MX 20 fw.spliethoff.nl.
spliethoff.com. MX 80 smtp.spliethoff.nl.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10499
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_25._tcp.mail.spliethoff.nl. IN TLSA
spliethoff.nl. SOA ns01.is.nl. postmaster.is.nl. 2016053000 14400 3600 604800 856071724
spliethoff.nl. RRSIG SOA 8 2 86400 20160623000000 20160609000000 51946 spliethoff.nl. uqwk6b8F8cTJBBtdT/CV2LnPQdpD1LOpV1rVROH/XLg/hA1e2ncmy8wf zIBZA0XI8yKsNbAlgvRDomOCqrjjioqOl8Gav5mfEaSofxblBjc2d1oK vBhBI5mrFyWlQpO9SiEqrYniecPs70+LcLhvwBRrh7SHH+xJ5EZ9hlcC d/E=
mail.spliethoff.nl. NSEC mijn.spliethoff.nl. A RRSIG NSEC
mail.spliethoff.nl. RRSIG NSEC 8 3 856071724 20160623000000 20160609000000 51946 spliethoff.nl. kzMKDzXkFioPrEA3rgrwuDh6PwP0fFEfLRH2Z20BX1BkyGmj7YlStUyq I45VogyfZ13MjgdrXX05qWJLACpPkAiMkN5jxSFr/Ke2U/ErviHpbW4B ndGydcZq7/90N8ZTgbeRPEAEyTy8LNqPH8VPw4iGC2g4LeYNH9vw56W5 tY4=
spliethoff.nl. NSEC _autodiscover._tcp.spliethoff.nl. NS CNAME SOA MX TXT RRSIG NSEC DNSKEY
spliethoff.nl. RRSIG NSEC 8 2 856071724 20160623000000 20160609000000 51946 spliethoff.nl. NmVyFCOMwmp6uvOeojQKcgZiim3hcsS+I5WVXHDnsrBHXa2avpyAySPv TQwT1r/CkjpyesVSShT8P8jN2QucZ/zcB0oLysY04+rYrjBiB0nW+MlK 16DSsq3m/8dQc094FhehWFVnCnvLxoIicDZjJHviYecC4c4z4i7DT4Dp U4g=
With DNS issues like this, go to dnsviz.net:
Cached data:
http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/dnssec/
Forced refresh:
http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/analyze/
The admin of this domain has gone far out of his way to mess it up...
participants (2)
- Andreas Schulze
- Viktor Dukhovni
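The advice in the reply is to test the MX hosts rather than the recipient domain. As an added example that is not part of either message, this Python parser reads Postfix log lines in the format quoted above and returns, per recipient domain, the TLSA owner names whose lookups failed, ready to paste into dnsviz.net. The function names are hypothetical, and the sample input is the three log lines from the thread.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread (QUEUEID is the poster's own redaction).
SAMPLE_LOG = """\
Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/mail.spliethoff.nl: TLSA lookup error for mail.spliethoff.nl:25
Jun 9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/smtp.spliethoff.nl: TLSA lookup error for smtp.spliethoff.nl:25
Jun 9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=postmaster@transfennica.com, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for smtp.spliethoff.nl:25)
"""

# warning: TLS policy lookup for <nexthop domain>/<MX host>: TLSA lookup error for <host>:<port>
POLICY_RE = re.compile(
    r"postfix/smtp\[\d+\]: warning: TLS policy lookup for (?P<domain>[^/\s]+)/[^:\s]+: "
    r"TLSA lookup error for (?P<host>[^:\s]+):(?P<port>\d+)")
# <queue id>: to=<rcpt>, ... dsn=<code>, status=deferred (TLSA lookup error for <host>:<port>)
DEFER_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<?(?P<rcpt>[^>,\s]+)>?,.*?dsn=(?P<dsn>[\d.]+), "
    r"status=deferred \(TLSA lookup error for (?P<host>[^:\s]+):(?P<port>\d+)\)")

def tlsa_failures(log_text):
    """Group TLSA lookup errors by recipient domain: failing MX hosts and deferred mail."""
    report = defaultdict(lambda: {"mx_hosts": set(), "deferred": []})
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            report[m["domain"]]["mx_hosts"].add((m["host"], int(m["port"])))
            continue
        m = DEFER_RE.search(line)
        if m:
            # The deferral line has no nexthop field, so key on the recipient's domain.
            domain = m["rcpt"].rpartition("@")[2]
            report[domain]["mx_hosts"].add((m["host"], int(m["port"])))
            report[domain]["deferred"].append((m["qid"], m["rcpt"], m["dsn"]))
    return dict(report)

def tlsa_qnames(report):
    """TLSA owner names (_port._tcp.host) to check for each affected recipient domain."""
    return {domain: sorted(f"_{port}._tcp.{host}" for host, port in entry["mx_hosts"])
            for domain, entry in report.items()}

if __name__ == "__main__":
    for domain, names in tlsa_qnames(tlsa_failures(SAMPLE_LOG)).items():
        print(domain, "->", ", ".join(names))
```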